This Quick Start’s architecture includes a number of AWS services and constructs, to create a highly scalable, highly available SaaS identity and isolation solution that conforms to best practices for deploying a container-based application in a virtual private cloud (VPC) that spans two Availability Zones.

The SaaS reference application client is deployed using Amazon Simple Storage Service (Amazon S3). All of the assets of this AngularJS application are deployed to, and served from, an S3 bucket. The deployed web application interacts with the application’s back-end services through RESTful calls that are routed through Amazon API Gateway, supplying tenant identity context with each call.

API Gateway provides a natural way to expose your services in SaaS environments, allowing you to better meter and throttle access to your environment. It also supports a custom authorizer that can validate the system’s identity tokens on each attempt to access services. This authorizer is implemented as an AWS Lambda function that allows you to create custom authorization logic for requests as they flow though the gateway.

Within the VPC, the architecture employs network address translation (NAT) gateways deployed in separate Availability Zones. These gateways, which are hosted in the VPC’s public subnets, provide high availability routing of traffic that flows from your private subnets to other AWS services or to the Internet.

The core of the SaaS application’s services are hosted in the VPC’s private subnets. An Amazon ECS cluster hosts the containers that run the system’s microservices. Seven separate Node.js microservices are deployed in this cluster. This cluster also employs Auto Scaling for basic high availability. You can further tune this cluster to dynamically respond to changes in tenant load, scaling up and down based on demand. Each service applies the context of a tenant's identity to control and scope access to the system's resources.

The reference application uses a variety of AWS services; for example:

• Amazon DynamoDB tables are provisioned in a multi-tenant model for services that require storage.
• AWS Identity and Access Management (IAM) manages and applies isolation polices and roles to prevent cross-tenant access.
• Amazon Cognito serves as the identity provider, storing attributes that identify each tenant.
• Amazon Simple Notification Service (Amazon SNS) publishes validation emails during the user registration process.

The architecture also supports continuous deployment: It uses a combination of AWS CodePipeline, AWS CodeBuild, S3 buckets, and the Amazon EC2 Container Registry (Amazon ECR) to manage the build and deployment of new application features.